Product Roadmaps / MMF-2146

SonarQube default setup enforces user authentication


    Details

    • Type: MMF
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Labels: None

      Description

      WHY

      When SonarQube is installed, by default, the product is totally open so that new users can easily discover and evaluate it:

      • you don't need to log in to analyze a new project
      • when a project is created, anyone can see and browse the source code

      This configuration can too easily leave the instance exposed when it goes into production and becomes reachable from the Internet. This is a security risk for SonarQube users who do not master the process of securing the installation.

      WHAT

      We want SonarQube to provide a default setup which:

      • decreases the risk for having uncontrolled SonarQube and disclosed sensitive data
      • but does not introduce friction for the first time exploration of SonarQube

      Use cases

      • As a user who discovers SonarQube, I want to easily be able to run a project analysis and discover the functionalities of the product.
      • I want to be able to share the results of my investigation to my teammates/hierarchy and to let my colleagues analyze additional projects.
      • When I am ready to go into production, I want my instance to, by default, not be at risk i.e. to not expose sensitive data and to not be open to malicious use. Without extra effort from my side, my instance does not allow any unwanted person to see the projects, to analyze a new project or to administer the instance.

      Acceptance criteria

      • It should be easy for a user who doesn’t know SonarQube to discover the product: only a very few steps should be required to analyze a project and see the results in SonarQube.
      • The default setup of SonarQube should make it secure so that it can go into production without any specific need for an administrator to manually reinforce the security.
      • We want to implement a minimal increment to secure new instances by default, but not go the extra mile to:
        • force a password policy
        • force tighter security practice
        • preconfigure SonarQube for higher performance

      What changes

      • On new instances, the SonarQube default configuration will now enforce user authentication.
        The administrator as well as every authenticated user can access the instance.
      • Project default visibility will remain public.
        Every authenticated user can browse the projects and see the source code.
      • The default permissions will remain permissive.
        Every authenticated user can create and analyze any project.
      • As it is today, an empty Projects page invites you to analyze a project, and project creation guides you to create a token, so an authenticated user can easily run a first analysis for a project.

      Out of scope

      • With the first "admin" login in the UI, the user can be asked to change the password.
      • The About page becomes much less visible and could be dropped. It currently presents a recap of the main concepts which should rather be well explained into the very first pages of the documentation. If authentication is not enforced, the default homepage for anonymous users could become the Projects page.

      How?

      Technical changes

      • Set the default value of ‘sonar.forceAuthentication’ to true anywhere it is used; see the usages of “org.sonar.api.CoreProperties#CORE_FORCE_AUTHENTICATION_PROPERTY”.
      • That change will require adjusting the ITs, especially the UI ones and those that use the scanner (pass a token or user/password).
      • Make sure that upgraded instances behave as they did previously.
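      As an added illustration (not SonarSource code and not part of this issue), the script below gives an administrator two ways to confirm the setting described above actually holds on a deployed instance: it reads the effective value of ‘sonar.forceAuthentication’ from a sonar.properties file (using the new default of true when the key is absent), and it sends one anonymous request to the project search web API, treating a 401 as "authentication enforced" and a 200 with a project list as "instance open". The probe path and the exact 401/200 behaviour are assumptions about the web API, not something this issue states; the sample responses in the test are constructed.

```python
"""Check whether a SonarQube instance enforces user authentication.

Added example, not SonarSource code. Assumptions (not from the issue):
  * an anonymous GET to /api/components/search answers 401 when
    sonar.forceAuthentication is true and 200 with a JSON project
    list when the instance is open;
  * sonar.properties uses plain key=value lines with '#' comments.
"""
import json
import sys
import urllib.error
import urllib.request

# Assumed probe endpoint: one page of projects (qualifier TRK), page size 1.
PROBE_PATH = "/api/components/search?qualifiers=TRK&ps=1"
FORCE_AUTH_KEY = "sonar.forceAuthentication"


def effective_force_auth(properties_text: str, default: bool = True) -> bool:
    """Return the effective value of sonar.forceAuthentication.

    `default` is True to match the new-instance default this MMF
    introduces; pass default=False when auditing a pre-change layout.
    """
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == FORCE_AUTH_KEY:
            return value.strip().lower() == "true"
    return default


def classify(status: int, body: str) -> str:
    """Map an anonymous probe's HTTP status and body to a verdict."""
    if status == 401:
        return "enforced"  # server refused the anonymous caller
    if status == 200:
        try:
            data = json.loads(body)
        except json.JSONDecodeError:
            return "unknown"  # 200 but not the API (proxy page, etc.)
        if isinstance(data, dict) and "components" in data:
            return "open"  # anonymous caller received a project list
    return "unknown"


def probe(base_url: str, timeout: float = 5.0) -> tuple:
    """Send one anonymous GET; return (status, body) without raising on 4xx."""
    req = urllib.request.Request(base_url.rstrip("/") + PROBE_PATH)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_instance(base_url: str) -> str:
    """Verdict for a live instance: 'enforced', 'open' or 'unknown'."""
    status, body = probe(base_url)
    return classify(status, body)


if __name__ == "__main__":
    # Usage: python check_force_auth.py http://localhost:9000 [sonar.properties]
    url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:9000"
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8") as fh:
            print(f"{sys.argv[2]}: forceAuthentication={effective_force_auth(fh.read())}")
    print(f"{url}: anonymous access -> {check_instance(url)}")
```

      Running the probe against a freshly installed instance is the quickest way to confirm the "secure by default" criterion above from the outside; the properties check covers the upgraded-instance case, where the value in the file decides the behaviour.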

      Settings

      • We'll update the description of the property in the Settings so that it highlights the risk behind disabling authentication.

      Documentation

      • Update scanners pages if necessary
      • Find a place in docs to explain that authentication will be required
      • Other places?

              People

              Assignee:
              christophe.levis Christophe Levis
              Reporter:
              christophe.levis Christophe Levis
              Votes: 0
              Watchers: 5